1 /* $NetBSD: i386.c,v 1.43 2021/12/05 04:47:18 msaitoh Exp $ */
2
3 /*-
4 * Copyright (c) 2003 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by David Laight.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #if HAVE_NBTOOL_CONFIG_H
33 #include "nbtool_config.h"
34 #endif
35
36 #include <sys/cdefs.h>
37 #if !defined(__lint)
38 __RCSID("$NetBSD: i386.c,v 1.43 2021/12/05 04:47:18 msaitoh Exp $");
39 #endif /* !__lint */
40
41 #include <sys/param.h>
42 #ifndef HAVE_NBTOOL_CONFIG_H
43 #include <sys/ioctl.h>
44 #include <sys/dkio.h>
45 #endif
46
47 #include <assert.h>
48 #include <errno.h>
49 #include <err.h>
50 #include <md5.h>
51 #include <stddef.h>
52 #include <stdio.h>
53 #include <stdlib.h>
54 #include <string.h>
55 #include <unistd.h>
56
57 #include "installboot.h"
58
/*
 * Console names accepted by this file, each paired with the numeric
 * device value that is looked up when a name is given or printed.
 */
static const struct console_name {
	const char *name;	/* Name of console selection */
	const int dev;		/* value matching CONSDEV_* from sys/arch/i386/stand/lib/libi386.h */
} consoles[] = {
	{ .name = "pc",		.dev = 0 },	/* CONSDEV_PC */
	{ .name = "com0",	.dev = 1 },	/* CONSDEV_COM0 */
	{ .name = "com1",	.dev = 2 },	/* CONSDEV_COM1 */
	{ .name = "com2",	.dev = 3 },	/* CONSDEV_COM2 */
	{ .name = "com3",	.dev = 4 },	/* CONSDEV_COM3 */
	{ .name = "com0kbd",	.dev = 5 },	/* CONSDEV_COM0KBD */
	{ .name = "com1kbd",	.dev = 6 },	/* CONSDEV_COM1KBD */
	{ .name = "com2kbd",	.dev = 7 },	/* CONSDEV_COM2KBD */
	{ .name = "com3kbd",	.dev = 8 },	/* CONSDEV_COM3KBD */
	{ .name = "auto",	.dev = -1 },	/* CONSDEV_AUTO */
};
74
static int i386_setboot(ib_params *params);
static int i386_editboot(ib_params *params);

/* Flags listed as valid for both machine descriptions below. */
#define X86_IB_VALID_FLAGS						\
	(IB_RESETVIDEO | IB_CONSOLE | IB_CONSPEED |			\
	 IB_CONSADDR | IB_KEYMAP | IB_PASSWORD |			\
	 IB_TIMEOUT | IB_MODULES | IB_BOOTCONF |			\
	 IB_STAGE1START)

/* i386 and amd64 share the same handlers; only the name differs. */
struct ib_mach ib_mach_i386 = {
	.name		= "i386",
	.setboot	= i386_setboot,
	.clearboot	= no_clearboot,
	.editboot	= i386_editboot,
	.valid_flags	= X86_IB_VALID_FLAGS
};

struct ib_mach ib_mach_amd64 = {
	.name		= "amd64",
	.setboot	= i386_setboot,
	.clearboot	= no_clearboot,
	.editboot	= i386_editboot,
	.valid_flags	= X86_IB_VALID_FLAGS
};
99
100 /*
101 * Attempting to write the 'labelsector' (or a sector near it - within 8k?)
102 * using the non-raw disk device fails silently. This can be detected (today)
103 * by doing a fsync() and a read back.
104 * This is very likely to affect installboot, indeed the code may need to
105 * be written into the 'labelsector' itself - especially on non-512 byte media.
106 * We do all writes with a read verify.
107 * If EROFS is returned we also try to enable writes to the label sector.
108 * (Maybe these functions should be in the generic part of installboot.)
109 */
/*
 * pwrite() n_bytes from buf at offset, then read the same range back and
 * compare it with what was written.
 *
 * Returns the byte count reported by pwrite() when the read-back matches.
 * Returns -1 when the scratch buffer cannot be allocated, when pwrite()
 * fails, or when the read-back differs; in the last case errno is set
 * to EROFS.
 */
static int
pwrite_validate(int fd, const void *buf, size_t n_bytes, off_t offset)
{
	void *readback;
	ssize_t written;
	int matches;

	readback = malloc(n_bytes);
	if (readback == NULL)
		return -1;

	written = pwrite(fd, buf, n_bytes, offset);
	if (written == -1) {
		free(readback);
		return -1;
	}

	/* A silently dropped write only shows up after fsync() + read back */
	fsync(fd);
	matches = pread(fd, readback, written, offset) == written &&
	    memcmp(readback, buf, written) == 0;
	free(readback);
	if (matches)
		return written;

	/* Data on the device differs from what we asked to be written */
	errno = EROFS;
	return -1;
}
133
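/*
 * Write the boot area in buf (len bytes) to params->fsfd, verifying every
 * write by reading it back, and stepping around the label sector when
 * that is possible.
 *
 * Returns 1 when the data was written and verified, 0 otherwise (a
 * diagnostic has been printed in that case).
 */
static int
write_boot_area(ib_params *params, uint8_t *buf, size_t len)
{
	int rv, i;
#ifdef DIOCWLABEL
	int write_errno;
#endif

	/*
	 * Writing the 'label' sector (likely to be bytes 512-1023) could
	 * fail, so we try to avoid writing that area.
	 * Unfortunately, if we are accessing the raw disk, and the sector
	 * size is larger than 512 bytes that is also doomed.
	 * See how we get on....
	 *
	 * NB: Even if the physical sector size is not 512, the space for
	 * the label is 512 bytes from the start of the disk.
	 * So all the '512' constants in these functions are correct.
	 */

	/* Write out first 512 bytes - the pbr code */
	rv = pwrite_validate(params->fsfd, buf, 512, 0);
	if (rv == 512) {
		/* That worked, do the rest */
		if (len == 512)
			return 1;
		len -= 512 * 2;
		rv = pwrite_validate(params->fsfd, buf + 512 * 2, len, 512 * 2);
		if (rv != (ssize_t)len)
			goto bad_write;
		return 1;
	}
	if (rv != -1 || (errno != EINVAL && errno != EROFS))
		goto bad_write;

	if (errno == EINVAL) {
		/* Assume the failure was due to the sector size > 512 */
		rv = pwrite_validate(params->fsfd, buf, len, 0);
		if (rv == (ssize_t)len)
			return 1;
		if (rv != -1 || (errno != EROFS))
			goto bad_write;
	}

#ifdef DIOCWLABEL
	/* Pesky label is protected, try to unprotect it */
	i = 1;
	rv = ioctl(params->fsfd, DIOCWLABEL, &i);
	if (rv != 0) {
		warn("Cannot enable writes to the label sector");
		return 0;
	}
	/* Try again with label write-enabled */
	rv = pwrite_validate(params->fsfd, buf, len, 0);
	/* Keep the write's errno: the ioctl below may overwrite it */
	write_errno = errno;

	/*
	 * Reset write-protect.  A failure here does not change the result
	 * of the write, but it leaves the label sector writable, so say so
	 * instead of ignoring it.
	 */
	i = 0;
	if (ioctl(params->fsfd, DIOCWLABEL, &i) != 0)
		warn("Cannot restore write protection of the label sector");
	if (rv == (ssize_t)len)
		return 1;
	errno = write_errno;
#endif

bad_write:
	if (rv == -1)
		warn("Writing `%s'", params->filesystem);
	else
		/* rv is an int, so print it with %d */
		warnx("Writing `%s': short write, %d bytes",
		    params->filesystem, rv);
	return 0;
}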
201
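/*
 * Print the boot parameter block at bpp on stdout.
 * The 32-bit fields are converted with le32toh() before printing; the
 * console device is shown by name when it matches an entry of consoles[],
 * otherwise as a number.
 */
static void
show_i386_boot_params(struct x86_boot_params *bpp)
{
	size_t i;

	printf("Boot options: ");
	printf("timeout %d, ", le32toh(bpp->bp_timeout));
	printf("flags %x, ", le32toh(bpp->bp_flags));
	printf("speed %d, ", le32toh(bpp->bp_conspeed));
	printf("ioaddr %x, ", le32toh(bpp->bp_consaddr));
	for (i = 0; i < __arraycount(consoles); i++) {
		if (consoles[i].dev == (int)le32toh(bpp->bp_consdev))
			break;
	}
	if (i == __arraycount(consoles))
		printf("console %d\n", le32toh(bpp->bp_consdev));
	else
		printf("console %s\n", consoles[i].name);
	/*
	 * The block can be a verbatim copy of bytes read from the disk or
	 * from the stage1 file, so bp_keymap is not guaranteed to carry a
	 * terminating NUL.  Bound the print by the size of the field
	 * instead of letting %s run past the end of the structure.
	 */
	if (bpp->bp_keymap[0])
		printf(" keymap %.*s\n", (int)sizeof bpp->bp_keymap,
		    bpp->bp_keymap);
}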
223
/*
 * Return 1 when the len bytes starting at p are all zero (also when
 * len is 0), otherwise 0.
 */
static int
is_zero(const uint8_t *p, unsigned int len)
{
	unsigned int i;

	for (i = 0; i < len; i++) {
		if (p[i] != 0)
			return 0;
	}
	return 1;
}
229
/*
 * Apply the options selected in params->flags to the boot parameter
 * block at bpp.
 *
 * The block is edited in a zero-filled local copy and only copied back
 * when every field that ended up non-zero fits inside the length the
 * block itself declares (bp_length, capped at sizeof(struct
 * x86_boot_params)).  Callers must therefore provide at least that many
 * readable and writable bytes at bpp.
 *
 * Returns 0 on success and 1 on failure (unknown console name, or the
 * patch area being too small); a diagnostic is printed on failure.
 */
static int
update_i386_boot_params(ib_params *params, struct x86_boot_params *bpp)
{
	struct x86_boot_params bp;
	const struct console_name *con;
	const struct console_name *const con_end =
	    consoles + __arraycount(consoles);
	uint32_t bplen;

	/* The stored length comes from the bootstrap; cap it to our struct */
	bplen = le32toh(bpp->bp_length);
	if (bplen > sizeof bp) {
		/* Ignore pad space in bootxx */
		bplen = sizeof bp;
	}

	/* Take (and update) local copy so we handle size mismatches */
	memset(&bp, 0, sizeof bp);
	memcpy(&bp, bpp, bplen);

	if (params->flags & IB_TIMEOUT)
		bp.bp_timeout = htole32(params->timeout);
	if (params->flags & IB_RESETVIDEO) {
		/* Toggles the bit rather than setting it */
		bp.bp_flags ^= htole32(X86_BP_FLAGS_RESET_VIDEO);
	}
	if (params->flags & IB_CONSPEED)
		bp.bp_conspeed = htole32(params->conspeed);
	if (params->flags & IB_CONSADDR)
		bp.bp_consaddr = htole32(params->consaddr);

	if (params->flags & IB_CONSOLE) {
		for (con = consoles; con != con_end; con++) {
			if (strcmp(con->name, params->console) == 0)
				break;
		}
		if (con == con_end) {
			/* Unknown name: list what would have been accepted */
			warnx("invalid console name, valid names are:");
			(void)fprintf(stderr, "\t%s", consoles[0].name);
			for (con = consoles + 1; con != con_end; con++)
				(void)fprintf(stderr, ", %s", con->name);
			(void)fprintf(stderr, "\n");
			return 1;
		}
		bp.bp_consdev = htole32(con->dev);
	}

	if (params->flags & IB_PASSWORD) {
		if (params->password[0] == '\0') {
			/* Empty password: clear the digest and the flag */
			memset(&bp.bp_password, 0, sizeof bp.bp_password);
			bp.bp_flags &= ~htole32(X86_BP_FLAGS_PASSWORD);
		} else {
			/*
			 * NOTE(review): what gets stored is a single MD5
			 * digest of the password bytes; no salt is mixed in
			 * by this function.  Read access to the boot sectors
			 * therefore exposes material usable for offline
			 * guessing - treat the password as a weak control.
			 */
			MD5_CTX md5ctx;

			MD5Init(&md5ctx);
			MD5Update(&md5ctx, params->password,
			    strlen(params->password));
			MD5Final(bp.bp_password, &md5ctx);
			bp.bp_flags |= htole32(X86_BP_FLAGS_PASSWORD);
		}
	}

	if (params->flags & IB_KEYMAP)
		strlcpy(bp.bp_keymap, params->keymap, sizeof bp.bp_keymap);
	if (params->flags & IB_MODULES)
		bp.bp_flags ^= htole32(X86_BP_FLAGS_NOMODULES);
	if (params->flags & IB_BOOTCONF)
		bp.bp_flags ^= htole32(X86_BP_FLAGS_NOBOOTCONF);

	if (params->flags & (IB_NOWRITE | IB_VERBOSE))
		show_i386_boot_params(&bp);

	/*
	 * Check we aren't trying to set anything we can't save: everything
	 * past the declared length must still be zero in the local copy.
	 */
	if (!is_zero((const uint8_t *)&bp + bplen, sizeof bp - bplen)) {
		warnx("Patch area in stage1 bootstrap is too small");
		return 1;
	}

	memcpy(bpp, &bp, bplen);
	return 0;
}
300
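/*
 * Install the stage1 bootstrap (params->s1fd) into the first 8k of the
 * filesystem (params->fsfd).
 *
 * The existing MBR partition table and label sector are carried over
 * from the disk, an existing FAT BPB is preserved unless IB_FORCE is
 * set, and the user-selected options are patched into the parameter
 * block that follows the magic number.  With IB_NOWRITE nothing is
 * written.
 *
 * Returns 1 on success, 0 on failure (a diagnostic has been printed).
 */
static int
i386_setboot(ib_params *params)
{
	unsigned int u;
	ssize_t rv;
	uint32_t *magic, expected_magic;
	union {
		struct mbr_sector mbr;
		uint8_t b[8192];
	} disk_buf, bootstrap;

	assert(params != NULL);
	assert(params->fsfd != -1);
	assert(params->filesystem != NULL);
	assert(params->s1fd != -1);
	assert(params->stage1 != NULL);

	/*
	 * There is only 8k of space in a FFSv1 partition (and ustarfs)
	 * so ensure we don't splat over anything important.
	 */
	if (params->s1stat.st_size > (off_t)(sizeof bootstrap)) {
		warnx("stage1 bootstrap `%s' (%u bytes) is larger than 8192 bytes",
		    params->stage1, (unsigned int)params->s1stat.st_size);
		return 0;
	}
	if (params->s1stat.st_size < 3 * 512 && params->s1stat.st_size != 512) {
		warnx("stage1 bootstrap `%s' (%u bytes) is too small",
		    params->stage1, (unsigned int)params->s1stat.st_size);
		return 0;
	}

	/* Read in the existing disk header and boot code */
	rv = pread(params->fsfd, &disk_buf, sizeof (disk_buf), 0);
	if (rv != sizeof(disk_buf)) {
		if (rv == -1)
			warn("Reading `%s'", params->filesystem);
		else
			warnx("Reading `%s': short read, %ld bytes"
			    " (should be %ld)", params->filesystem, (long)rv,
			    (long)sizeof(disk_buf));
		return 0;
	}

	if (disk_buf.mbr.mbr_magic != le16toh(MBR_MAGIC)) {
		if (params->flags & IB_VERBOSE) {
			printf(
		    "Ignoring PBR with invalid magic in sector 0 of `%s'\n",
			    params->filesystem);
		}
		memset(&disk_buf, 0, 512);
	}

	/*
	 * Start from a zeroed buffer: the stage1 file may be shorter than
	 * the buffer, and the parameter block length stored in the file is
	 * used below to copy bytes out of it.  Without this, a length that
	 * reaches past the end of the file would pick up stale stack data.
	 */
	memset(&bootstrap, 0, sizeof bootstrap);

	/* Read the new bootstrap code. */
	rv = pread(params->s1fd, &bootstrap, params->s1stat.st_size, 0);
	if (rv != params->s1stat.st_size) {
		if (rv == -1)
			warn("Reading `%s'", params->stage1);
		else
			warnx("Reading `%s': short read, %ld bytes"
			    " (should be %ld)", params->stage1, (long)rv,
			    (long)params->s1stat.st_size);
		return 0;
	}

	/*
	 * The bootstrap code is either 512 bytes for booting FAT16, or best
	 * part of 8k (with bytes 512-1023 all zeros).
	 */
	if (params->s1stat.st_size == 512) {
		/* Magic number is at end of pbr code */
		magic = (void *)(bootstrap.b + 512 - 16 + 4);
		expected_magic = htole32(X86_BOOT_MAGIC_FAT);
	} else {
		/* Magic number is at start of sector following label */
		magic = (void *)(bootstrap.b + 512 * 2 + 4);
		expected_magic = htole32(X86_BOOT_MAGIC_1);
		/*
		 * For a variety of reasons we restrict our 'normal' partition
		 * boot code to a size which enables it to be used as mbr code.
		 * IMHO this is bogus (dsl).
		 */
		if (!is_zero(bootstrap.b + 512-2-64, 64)) {
			warnx("Data in mbr partition table of new bootstrap");
			return 0;
		}
		if (!is_zero(bootstrap.b + 512, 512)) {
			warnx("Data in label part of new bootstrap");
			return 0;
		}
		/* Copy mbr table and label from existing disk buffer */
		memcpy(bootstrap.b + 512-2-64, disk_buf.b + 512-2-64, 64);
		memcpy(bootstrap.b + 512, disk_buf.b + 512, 512);
	}

	/* Validate the 'magic number' that marks the parameter block */
	if (*magic != expected_magic) {
		warnx("Invalid magic in stage1 bootstrap %x != %x",
		    *magic, expected_magic);
		return 0;
	}

	/*
	 * If the partition has a FAT (or NTFS) filesystem, then we must
	 * preserve the BIOS Parameter Block (BPB).
	 * It is also very likely that there isn't 8k of space available
	 * for (say) bootxx_msdos, and that blindly installing it will trash
	 * the FAT filesystem.
	 * To avoid this we check the number of 'reserved' sectors to ensure
	 * that there is enough space.
	 * Unfortunately newfs(8) doesn't (yet) splat the BPB (which is
	 * effectively the FAT superblock) when a filesystem is initialised
	 * so this code tends to complain rather too often.
	 * Specifying 'installboot -f' will delete the old BPB info.
	 */
	if (!(params->flags & IB_FORCE)) {
#define USE_F ", use -f (may invalidate filesystem)"
		/*
		 * For FAT compatibility, the pbr code starts 'jmp xx; nop'
		 * followed by the BIOS Parameter Block (BPB).
		 * The 2nd byte (jump offset) is the size of the nop + BPB.
		 */
		if (bootstrap.b[0] != 0xeb || bootstrap.b[2] != 0x90) {
			warnx("No BPB in new bootstrap %02x:%02x:%02x" USE_F,
			    bootstrap.b[0], bootstrap.b[1], bootstrap.b[2]);
			return 0;
		}

		/*
		 * Find size of old BPB, and copy into new bootcode
		 *
		 * The 2nd byte (b[1]) contains jmp short relative offset.
		 * If it is zero or some invalid input that is smaller than 9,
		 * it will cause overflow and call is_zero() with enormous size.
		 * Add a paranoid check to prevent this scenario.
		 *
		 * Verify that b[0] contains JMP (0xeb) and b[2] NOP (0x90).
		 */
		if (disk_buf.b[0] == 0xeb && disk_buf.b[1] >= 9 &&
		    disk_buf.b[2] == 0x90 &&
		    !is_zero(disk_buf.b + 3 + 8, disk_buf.b[1] - 1 - 8)) {
			struct mbr_bpbFAT16 *bpb = (void *)(disk_buf.b + 3 + 8);
			/*
			 * Check enough space before the FAT for the bootcode.
			 * Both factors are 16-bit values taken from the disk;
			 * force the multiplication to be unsigned so that two
			 * large values cannot overflow a (promoted) signed int.
			 */
			u = (unsigned int)le16toh(bpb->bpbBytesPerSec)
			    * le16toh(bpb->bpbResSectors);
			if (u != 0 && u < params->s1stat.st_size) {
				warnx("Insufficient reserved space before FAT "
				    "(%u bytes available)" USE_F, u);
				return 0;
			}
			/* Check we have enough space for the old bpb */
			if (disk_buf.b[1] > bootstrap.b[1]) {
				/* old BPB is larger, allow if extra zeros */
				if (!is_zero(disk_buf.b + 2 + bootstrap.b[1],
				    disk_buf.b[1] - bootstrap.b[1])) {
					warnx("Old BPB too big" USE_F);
					return 0;
				}
				u = bootstrap.b[1];
			} else {
				/* Old BPB is shorter, leave zero filled */
				u = disk_buf.b[1];
			}
			if (params->s1start != 0)
				/* Fixup physical offset of filesystem */
				bpb->bpbHiddenSecs = htole32(params->s1start);
			/* u is a single byte value here, so at most 255 */
			memcpy(bootstrap.b + 2, disk_buf.b + 2, u);
		}
#undef USE_F
	}

	/*
	 * Fill in any user-specified options into the
	 *	struct x86_boot_params
	 * that follows the magic number.
	 * See sys/arch/i386/stand/bootxx/bootxx.S for more information.
	 */
	if (update_i386_boot_params(params, (void *)(magic + 1)))
		return 0;

	if (params->flags & IB_NOWRITE) {
		return 1;
	}

	/* Copy new bootstrap data into disk buffer, ignoring label area */
	memcpy(&disk_buf, &bootstrap, 512);
	if (params->s1stat.st_size > 512 * 2) {
		memcpy(disk_buf.b + 2 * 512, bootstrap.b + 2 * 512,
		    params->s1stat.st_size - 2 * 512);
		/* Zero pad to 512 byte sector boundary */
		memset(disk_buf.b + params->s1stat.st_size, 0,
		    (8192 - params->s1stat.st_size) & 511);
	}

	return write_boot_area(params, disk_buf.b, sizeof disk_buf.b);
}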
497
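/*
 * Edit the boot parameters of a bootstrap that is already installed on
 * params->fsfd.
 *
 * The first four 512-byte sectors are searched for the boot magic; the
 * parameter block that follows it is updated from params and the sector
 * is written back in place.  With IB_NOWRITE nothing is written.
 *
 * Returns 1 on success, 0 on failure (a diagnostic has been printed).
 */
static int
i386_editboot(ib_params *params)
{
	int retval;
	/*
	 * The sector is inspected as 32-bit words and through a struct
	 * pointer, so give the buffer word alignment and read the magic
	 * through the union instead of casting a byte pointer.
	 */
	union {
		uint32_t w[512 / sizeof(uint32_t)];
		uint8_t b[512];
	} sector;
	ssize_t rv;
	uint32_t magic;
	uint32_t offset;
	struct x86_boot_params *bpp;

	assert(params != NULL);
	assert(params->fsfd != -1);
	assert(params->filesystem != NULL);

	retval = 0;

	/*
	 * Read in the existing bootstrap.
	 * Look in any of the first 4 sectors.
	 */

	bpp = NULL;
	for (offset = 0; offset < 4 * 512; offset += 512) {
		rv = pread(params->fsfd, sector.b, sizeof sector.b, offset);
		if (rv == -1) {
			warn("Reading `%s'", params->filesystem);
			goto done;
		} else if (rv != sizeof sector.b) {
			warnx("Reading `%s': short read", params->filesystem);
			goto done;
		}

		/* Magic number is 4 bytes in (to allow for a jmps) */
		/* Also allow any of the magic numbers. */
		magic = le32toh(sector.w[1]) | 0xf;
		if (magic != (X86_BOOT_MAGIC_1 | 0xf))
			continue;

		/*
		 * The parameters are just after the magic number.
		 * NOTE(review): this leaves 504 bytes for the block; assumes
		 * sizeof(struct x86_boot_params) fits in that - TODO confirm.
		 */
		bpp = (void *)(sector.b + 8);
		break;
	}
	if (bpp == NULL) {
		warnx("Invalid magic in existing bootstrap");
		goto done;
	}

	/*
	 * Fill in any user-specified options into the
	 *	struct x86_boot_params
	 * that's 8 bytes in from the start of the third sector.
	 * See sys/arch/i386/stand/bootxx/bootxx.S for more information.
	 */
	if (update_i386_boot_params(params, bpp))
		goto done;

	if (params->flags & IB_NOWRITE) {
		retval = 1;
		goto done;
	}

	/*
	 * Write boot code back.
	 * NOTE(review): this is a plain pwrite() with no read-back, unlike
	 * the verified writes used when installing the bootstrap; a write
	 * that is dropped silently would go unnoticed here - confirm that
	 * this is intended.
	 */
	rv = pwrite(params->fsfd, sector.b, sizeof sector.b, offset);
	if (rv == -1) {
		warn("Writing `%s'", params->filesystem);
		goto done;
	} else if (rv != sizeof sector.b) {
		warnx("Writing `%s': short write, %zd bytes (should be %zu)",
		    params->filesystem, rv, sizeof(sector.b));
		goto done;
	}

	retval = 1;

done:
	return retval;
}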
577